Higher Order Correlation Attacks, XL Algorithm and Cryptanalysis of Toyocrypt

Nicolas T. Courtois
Cryptography research, Schlumberger Smart Cards, 36-38 rue de la Princesse, BP 45, 78430 Louveciennes Cedex, France
http://www.nicolascourtois.net
[email protected]

Abstract. Many stream ciphers are built of a linear sequence generator and a non-linear output function f. There is an abundant literature on (fast) correlation attacks that use linear approximations of f to attack the cipher. In this paper we explore higher degree approximations, which are much less studied. We reduce the cryptanalysis of a stream cipher to solving a system of multivariate equations that is overdefined (many more equations than unknowns). We adapt the XL method, introduced at Eurocrypt 2000 for overdefined quadratic systems, to solving equations of higher degree. Though the exact complexity of XL remains an open problem, there is no doubt that it works perfectly well for such largely overdefined systems as ours, and we confirm this by computer simulations. We show that using XL, it is possible to break stream ciphers that were known to be immune to all previously known attacks. For example, we cryptanalyse the stream cipher Toyocrypt, accepted to the second phase of the Japanese government Cryptrec program. Our best attack on Toyocrypt takes 2^92 CPU clocks for a 128-bit cipher. The interesting feature of our XL-based higher degree correlation attacks is their very loose requirements on the known keystream needed. For example, they may work knowing ONLY that the ciphertext is in English.

Key Words: Algebraic cryptanalysis, multivariate equations, overdefined equations, Reed-Muller codes, correlation immunity, XL algorithm, Gröbner bases, stream ciphers, pseudo-random generators, nonlinear filtering, ciphertext-only attacks, Toyocrypt, Cryptrec.
Nicolas T. Courtois, ICISC 2002, extended version

1 Introduction

The security of most cryptographic schemes is usually based on the impossibility of extracting some secret information, given access to some encryption or signature oracles or other derived information. In most useful cases, there is no security in the information-theoretic setting: the adversary usually has enough information to uniquely determine the secret (or the ability) he wants to acquire. Moreover the basic problem is always (in a sense) overdefined: the adversary is assumed to have at his disposal, for example, a great many plaintext and ciphertext pairs, message and signature pairs, etc. He usually has available much more than the information needed to just determine the secret key. Thus, one might say, most cryptographic security relies on the hardness of largely overdefined problems. In public key cryptography, the problem is addressed by provable security, which assures that each utilization of the cryptographic scheme does not leak useful information. The security is guaranteed by the hardness of a single difficult problem, and will not degrade with repetitive use of the scheme. Unfortunately, however, there is as yet very little provable security in secret key cryptography. It is also in secret key cryptography that the problems become most overdefined, due to the amounts of data that are usually encrypted with one single session key. This is especially true for stream ciphers: designed to be extremely fast in hardware, they can encrypt astronomic quantities of data, for example on an optical fiber.

In this paper we consider a popular class of stream ciphers, in which there is a linear part, producing a sequence with a large period (for example one or several LFSRs), and a stateless nonlinear part that produces the output, given the state of the linear part. The security of such stream ciphers has been studied by many authors.
In [11], Golic gives a set of criteria that should be satisfied in order to resist the known attacks on stream ciphers. For example, a stream cipher should resist the fast correlation attack [15], the conditional correlation attack [1] and the inversion attack [11]. In order to resist different types of correlation attacks, many authors focused on proposing boolean functions that have no good linear approximation and that are correlation immune with regard to a subset of several input bits, see for example [3]. In this paper we will instead exploit correlation properties with regard to non-linear low degree multivariate functions that use all of the variables, or in other words, low degree approximations. This kind of correlation has already been studied, see for example [12, 9], but it seems that its application to cryptographic attacks did not receive sufficient attention.

In this paper we explain that many constructions of stream ciphers directly give an overdefined system of multivariate equations of low degree. Many others can be approximated with good probability by such a system of equations. All this is not completely new; however, only recently did people become aware of the existence of efficient algorithms for solving some systems of multivariate equations of low degree, see [24, 6, 7]. The XL algorithm, proposed by Courtois, Klimov, Patarin and Shamir [24], allows one to solve overdefined systems of equations much faster than expected. Later, Courtois and Pieprzyk proposed the XSL method [7], to further improve XL when the equations are sparse. In the same paper [7], the authors propose to use multivariate polynomial equations to attack block ciphers such as AES. Unfortunately, these attacks are, to say the least, heuristic. In this paper we study multivariate algebraic attacks on stream ciphers. Unlike in [7], our systems of equations will be much more overdefined.
We show that in this case it is possible to predict the behaviour of the XL method with precision and confidence. In this paper, using XL, we introduce a method to exploit (at least in theory) any correlation with a function of any degree, to mount an attack on a class of popular stream ciphers. Moreover we demonstrate that such attacks can indeed be faster than exhaustive search of the key for some real stream ciphers, for example for Toyocrypt.

The paper is organized as follows: in Section 2 and in Appendix A we study the XL algorithm from [24] for solving multivariate quadratic equations, and extend it to equations of higher degree. In Section 3 we apply XL to the cryptanalysis of stream ciphers. In Section 4 we discuss the opportunity to use bent functions in stream ciphers. Then in Section 5 we apply our attack to the Toyocrypt stream cipher.

2 The XL Algorithm

In this paper we describe a rather obvious extension of the XL algorithm [24]. Instead of solving a system of m multivariate quadratic equations with n variables, of degree d = 2 as in [24], we also consider higher degree equations, i.e. we study the general case $d \ge 2$. Let D be the parameter of the XL algorithm. Let $l_i(x_0, \ldots, x_{n-1}) = 0$, $i = 1 \ldots m$, be the initial m equations, with n variables $x_i \in GF(2)$. The XL algorithm consists of multiplying both sides of these equations by products of variables:

Definition 2.0.1 (The XL algorithm). Execute the following steps:
1. Multiply: Generate all the products $\prod_{j=1}^{k} x_{i_j} \cdot l_i$ with $k \le D - d$, so that the total degree in the $x_i$ of these equations is $\le D$.
2. Linearize: Consider each monomial in the $x_i$ of degree $\le D$ as a new variable and perform Gaussian elimination on the equations obtained in step 1. The ordering on the monomials must be such that all the terms containing one variable (say $x_1$) are eliminated last.
3. Get a Simpler Equation: Assume (see footnote 1) that step 2 yields at least one univariate equation in the powers of $x_1$. Solve this equation over the finite field (e.g., with Berlekamp's algorithm).
4. Final step: It should not be necessary to repeat the whole process. Once the value of $x_1$ is known, we expect that all the other variables will be obtained from the same linear system.

Footnote 1: Improved versions of the XL algorithm exist in which the system can still be solved even if this condition is not satisfied, see the FXL algorithm [24], and the XL' and XL2 methods described in [6]. We do not need these improvements here.

We expect that to find one solution to the system, the complexity of XL will be essentially the complexity of one single Gaussian reduction in step 2.

2.1 The Necessary Condition for XL to Work

The XL algorithm consists of multiplying the initial m equations $l_i$ by all possible monomials of degree up to $D - d$, so that the total degree of the resulting equations is D. Let R be the number of equations generated in XL, and T be the number of all monomials. We have (the first term is dominant):

$$R = m \cdot \sum_{i=0}^{D-d} \binom{n}{i} \approx m \cdot \binom{n}{D-d}, \qquad T = \sum_{i=0}^{D} \binom{n}{i} \approx \binom{n}{D}$$

The main problem in the XL algorithm is that in practice not all the equations generated are independent. Let Free be the exact number of equations that are linearly independent in XL. We have $Free \le R$. We also have necessarily $Free \le T$. The main heuristic behind XL is the following: it can be seen that for some D we always have $R \ge T$. Then we expect that $Free \approx T$, as obviously it cannot be bigger than T. More precisely, following [24], when $Free \ge T - D$, it is possible by Gaussian elimination to obtain one equation in only one variable, and XL will work. Otherwise, we need a bigger D, or an improved algorithm (footnote 2).
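The following Python script, added here as an illustration and not part of the paper, runs steps 1 and 2 of Definition 2.0.1 on a small constructed system over GF(2) and reports R, T and Free next to the binomial-sum formulas above, so that the heuristic condition Free ≥ T − D can be checked on a concrete instance. The function names, the system size (n = 6, m = 12, d = 2, D = 3) and the random seed are arbitrary choices made for this example.

```python
# Added example, not the paper's code: XL steps 1-2 on a toy system over GF(2).
# A polynomial is a set of monomials (frozensets of variable indices, x_i^2 = x_i);
# adding two polynomials is the symmetric difference of the two sets.
from itertools import combinations
from math import comb
import random

def monomials(n, max_deg):            # all monomials of degree <= max_deg, incl. 1
    return [frozenset(c) for k in range(max_deg + 1) for c in combinations(range(n), k)]

def multiply(poly, mono):             # poly * mono; equal terms cancel in char 2
    out = set()
    for term in poly:
        out ^= {term | mono}
    return out

def evaluate(poly, point):            # value of poly at a point of GF(2)^n
    return sum(all(point[i] for i in t) for t in poly) % 2

def gf2_rank(rows, cols):             # Gaussian elimination, one column per monomial
    idx = {c: i for i, c in enumerate(cols)}
    pivots = {}                       # leading bit -> already reduced row
    for r in rows:
        v = sum(1 << idx[t] for t in r)
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = v
                break
            v ^= pivots[lead]
    return len(pivots)

def xl_counts(eqs, n, d, D):
    # step 1: multiply every l_i by every monomial of degree <= D - d
    products = [multiply(l, mono) for l in eqs for mono in monomials(n, D - d)]
    # step 2: linearize and count R (generated), T (monomials), Free (independent)
    cols = monomials(n, D)
    return products, {"R": len(products), "T": len(cols),
                      "Free": gf2_rank(products, cols), "T-D": len(cols) - D,
                      "R_formula": len(eqs) * sum(comb(n, i) for i in range(D - d + 1)),
                      "T_formula": sum(comb(n, i) for i in range(D + 1))}

def xl_demo(n=6, m=12, d=2, D=3, seed=2002):
    rng = random.Random(seed)
    secret = [rng.randrange(2) for _ in range(n)]   # constructed hidden solution
    eqs = [{t for t in monomials(n, d) if rng.random() < 0.5} for _ in range(m)]
    eqs = [p ^ {frozenset()} if evaluate(p, secret) else p for p in eqs]  # vanish at secret
    products, counts = xl_counts(eqs, n, d, D)
    counts["consistent"] = all(evaluate(p, secret) == 0 for p in products)
    return counts
```

Because every generated equation vanishes at the hidden solution, the vector of that solution's monomial values is a non-zero kernel vector of the linearized system, which forces Free ≤ T − 1 regardless of how large R is.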